AWS API calls indicating infrastructure modification using CloudFormation

ID: aws_cloudformation_modify
Data type: AWS CloudTrail
Severity: Informational - Medium

Description

AlphaSOC detected an unexpected use of AWS CloudFormation APIs to modify infrastructure, including creating, updating, and managing stacks, stack sets, and stack instances. AWS CloudFormation is a service that enables organizations to automate the deployment and management of cloud infrastructure through Infrastructure as Code (IaC). Unexpected modifications of this kind can threaten the security and integrity of an organization's AWS environment and should be investigated.

Impact

Threat actors could exploit these AWS CloudFormation APIs to establish persistence, escalate privileges, or deploy malicious resources.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Analyze AWS CloudTrail logs to determine the source and context of the CloudFormation API calls (calling principal, source IP address and ASN, user agent, region) and verify whether the actions were authorized. If they were not, review the templates used and the resources created or modified, identify the unauthorized modifications and revert them, and revoke the IAM credentials associated with the unauthorized API calls.
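The severity table and the investigation steps above both come down to the same triage: take the CloudTrail records for CloudFormation calls that modify infrastructure, decide which of the four properties (action, ASN, user agent, region) fall outside what is normal for the account, and map the count to Informational, Low or Medium. The following is an added example in that spirit, not AlphaSOC's code or scoring engine. The baseline values, the IP-to-ASN lookup table and the sample records are all constructed for the example; CloudTrail records carry only sourceIPAddress, so the ASN has to come from enrichment, which is stubbed here as a dictionary. The example also assumes that four unexpected properties are still scored as Medium, since the table stops at three.

```python
"""Toy scorer for the aws_cloudformation_modify severity table (added example)."""
import json

# Constructed baseline for a hypothetical account. A real deployment learns these
# from history; every value below is an assumption made for the example.
EXPECTED = {
    "action": {"CreateStack", "UpdateStack", "DeleteStack"},
    "asn": {"AS16509"},                  # assumed ASN of the usual CI runners
    "user_agent": ("aws-cli/", "APN/"),  # accepted user-agent prefixes (assumed)
    "region": {"us-east-1", "eu-west-1"},
}

# Constructed IP-to-ASN enrichment; CloudTrail itself has only sourceIPAddress.
IP_TO_ASN = {
    "203.0.113.10": "AS16509",
    "198.51.100.7": "AS64500",
}

# CloudFormation actions that change infrastructure (stacks, stack sets, instances).
MODIFYING_ACTIONS = {
    "CreateStack", "UpdateStack", "DeleteStack",
    "CreateStackSet", "UpdateStackSet", "DeleteStackSet",
    "CreateStackInstances", "UpdateStackInstances", "DeleteStackInstances",
    "CreateChangeSet", "ExecuteChangeSet",
}


def unexpected_properties(record):
    """Return the names of the properties of a record that fall outside the baseline."""
    asn = IP_TO_ASN.get(record.get("sourceIPAddress", ""), "unknown")
    unexpected = []
    if record.get("eventName", "") not in EXPECTED["action"]:
        unexpected.append("action")
    if asn not in EXPECTED["asn"]:
        unexpected.append("asn")
    if not record.get("userAgent", "").startswith(EXPECTED["user_agent"]):
        unexpected.append("user_agent")
    if record.get("awsRegion", "") not in EXPECTED["region"]:
        unexpected.append("region")
    return unexpected


def severity(record):
    """Map a record to None / Informational / Low / Medium following the table."""
    if record.get("eventSource") != "cloudformation.amazonaws.com":
        return None
    if record.get("eventName") not in MODIFYING_ACTIONS:
        return None  # read-only calls such as DescribeStacks are never scored
    count = len(unexpected_properties(record))
    if count == 0:
        return None
    if count == 1:
        return "Informational"
    if count == 2:
        return "Low"
    return "Medium"  # three or more unexpected properties (cap is an assumption)


def triage(records):
    """Return one finding per flagged record, with the fields an analyst needs first."""
    findings = []
    for rec in records:
        sev = severity(rec)
        if sev is None:
            continue
        findings.append({
            "eventID": rec.get("eventID"),
            "severity": sev,
            "unexpected": unexpected_properties(rec),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "stack": rec.get("requestParameters", {}).get("stackName"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
        })
    return findings


def _record(event_id, name, region, ip, agent, stack="web-tier"):
    # Helper that builds a constructed CloudTrail record for the samples below.
    return {
        "eventID": event_id, "eventSource": "cloudformation.amazonaws.com",
        "eventName": name, "awsRegion": region, "sourceIPAddress": ip,
        "userAgent": agent,
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci-deploy"},
        "requestParameters": {"stackName": stack},
    }


# Constructed sample records: baseline, one, two and three unexpected properties, read-only.
SAMPLE_RECORDS = [
    _record("evt-1", "UpdateStack", "us-east-1", "203.0.113.10", "aws-cli/2.15.0"),
    _record("evt-2", "UpdateStack", "ap-southeast-2", "203.0.113.10", "aws-cli/2.15.0"),
    _record("evt-3", "DeleteStack", "us-east-1", "192.0.2.44", "python-requests/2.31"),
    _record("evt-4", "CreateStackSet", "us-east-1", "198.51.100.7", "Boto3/1.34.0", "x"),
    _record("evt-5", "DescribeStacks", "us-east-1", "198.51.100.7", "Boto3/1.34.0"),
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Only modifying CloudFormation actions are scored, so routine DescribeStacks or ListStacks traffic never produces a finding; the finding carries the principal ARN, stack name and source address so the authorization check and, if needed, the credential revocation described above can start from the record itself.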

Known False Positives

  • Legitimate updates performed by authorized DevOps or cloud engineering teams
  • Testing or development activities in sandbox or non-production environments